On 29.12.2004, at 16:45, Peter Lacey wrote:
On Dec 29, 2004, at 6:06 AM, Timo Sirainen wrote:
And there was talk about auth_user in this thread too. The most important thing with it is that it must not be the same as login_user.
Okay, I didn't know this. So the imap-login process should run as user1 (not "root", typically "dovecot") and dovecot-auth should run as user2 (could be root, should be just privileged enough to access the auth_userdb and auth_passdb, which in the case of LDAP is anyone).
Here's the question, why is it important that these two not be the same user?
Well, it solves more of a theoretical problem with not-so-great importance, but Dovecot is full of that anyway :)
The point of the login processes is that they try to keep the rest of the system safe even if an attacker is able to run any code in them. This is because they are chrooted into an (almost) empty, non-writable directory and run as a user which has no privileges to do anything.
If you run dovecot-auth as the same user as the login process, the attacker will at least be able to kill your auth process. Probably nothing else, though, since the OS treats it as a setuid process. But there have been many holes in OSes before allowing access to setuid processes..
And the reason why I'm expecting the login processes to be the most attacked processes is that they run all the SSL code, and that's big and complex and probably still has (or will have) some security holes allowing arbitrary code execution..
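To make the point of the exchange above concrete, here is an added example (not Dovecot's own code and not written by either poster) that audits a 0.99-style flat `key = value` dovecot.conf for the privilege-separation invariants under discussion, and models the POSIX kill(2) permission rule that decides whether a compromised login process could signal dovecot-auth. The two config texts and the uid map are constructed; the `login_user`, `auth_user`, `login_chroot` and `login_dir` key names are the 0.99.x setting names, and the assumption that the master drops all three uids of dovecot-auth to `auth_user` is a modelling assumption, not something the thread states.

```python
"""Audit Dovecot 0.99-style privilege separation settings.

Added example, not Dovecot code.  Config keys follow the 0.99.x flat
'key = value' style; the sample configs and uid map are constructed.
"""

# Constructed "weak" config: login and auth share a uid, chroot is off.
WEAK_CONF = """
login_user = dovecot
login_chroot = no
login_dir = /var/run/dovecot/login
auth_userdb = ldap /etc/dovecot-ldap.conf
auth_passdb = ldap /etc/dovecot-ldap.conf
auth_user = dovecot        # same as login_user -> login can kill auth
"""

# Constructed hardened config: distinct unprivileged users, chroot on.
HARDENED_CONF = """
login_user = dovecot
login_chroot = yes
login_dir = /var/run/dovecot/login
auth_userdb = ldap /etc/dovecot-ldap.conf
auth_passdb = ldap /etc/dovecot-ldap.conf
auth_user = dovecot-auth
"""

# Constructed uid map standing in for /etc/passwd.
UID_MAP = {"root": 0, "dovecot": 97, "dovecot-auth": 98}


def parse_conf(text):
    """Parse 'key = value' lines; '#' starts a comment; later keys win."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        cfg[key] = value
    return cfg


def signal_allowed(sender_ruid, sender_euid, target_ruid, target_suid):
    """POSIX kill(2) rule for an unprivileged sender: the signal is
    delivered only if the sender's real or effective uid equals the
    target's real or saved set-user-ID.  Root (euid 0) may signal anyone."""
    if sender_euid == 0:
        return True
    targets = (target_ruid, target_suid)
    return sender_ruid in targets or sender_euid in targets


def login_can_kill_auth(cfg, uid_of):
    """Model: imap-login runs with ruid = euid = uid(login_user);
    dovecot-auth runs with ruid = suid = uid(auth_user).  Assumption: the
    master sets all three uids of dovecot-auth to auth_user."""
    login = uid_of[cfg["login_user"]]
    auth = uid_of[cfg["auth_user"]]
    return signal_allowed(login, login, auth, auth)


def audit_privsep(cfg, uid_of):
    """Return a list of findings; an empty list means the invariants hold."""
    findings = []
    login_user = cfg.get("login_user")
    auth_user = cfg.get("auth_user")
    if not login_user:
        findings.append("login_user is unset")
    elif uid_of.get(login_user) == 0:
        findings.append("login_user is root: a compromised login process "
                        "keeps full privilege")
    if login_user and auth_user and login_can_kill_auth(cfg, uid_of):
        findings.append(f"login_user {login_user!r} can signal dovecot-auth "
                        f"running as {auth_user!r}: use distinct users")
    if cfg.get("login_chroot", "").lower() != "yes":
        findings.append("login_chroot is not 'yes': login processes are not "
                        f"confined to {cfg.get('login_dir', '<unset>')}")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_privsep(parse_conf(text), UID_MAP))
```

The kill(2) model is what makes the thread's "at least be able to kill your auth process" precise: with equal uids the signal is delivered, with distinct unprivileged uids it is refused with EPERM, and a root `auth_user` (uid 0) is likewise out of reach of an unprivileged login process.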